Türkçe
Español
One of the core developers of ENS became the target of a cyber attack, highlighting how vulnerable cryptocurrency investors can be. Even professionals can fall prey to these traps, potentially resulting in significant losses for a large portion of the crypto investing community. What are the details of this incident? What should investors be cautious about?
Google Vulnerabilities and Cryptocurrencies
Cybercriminals continue to pursue unjust gains using various methods. Fake product advertisements, AI-driven deceptive investment opportunity videos, viruses, and phishing attacks make it imperative for investors to exercise extreme caution.
Nick, a well-known name in the crypto community, fell victim to attackers using two unresolved security vulnerabilities in Google’s infrastructure.
“Recently, I was targeted by a highly sophisticated phishing attack, which I want to emphasize here. This attack exploits a security flaw in Google’s infrastructure, and since they refuse to fix it, we can expect to see such attacks more frequently. Here is the email I received;”
“The first thing to note is that this is a valid, signed email – it was indeed sent from no-reply@googlecom. It passes DKIM signature checks, and Gmail displays it without any warnings – even placing it in the same thread as other legitimate security alerts.”
DKIM (DomainKeys Identified Mail) is a security protocol that verifies the identity of the email sender and guarantees that the email has not been altered in transit.
Details of the Attack
To enhance the credibility of a fake website, attackers utilize Google’s site feature to easily lure their victims at the moment of shock. The site link directs you to a very convincing “support portal” page, where attackers urge the victim to log into their account.
“Here’s how it works: First, they register a domain name and create a Google account for ‘me@domain.’ The domain name isn’t crucial, but it helps it appear like a form of infrastructure. As you’ll see shortly, choosing ‘me’ as the username is clever.
Next, they create a Google OAuth application. For the application’s name, they input *the entire text of the Phishing message* – including new lines – followed by multiple spaces and “Google Legal Support.”
They grant access permissions to the OAuth application for the ‘me@…’ address. This generates a ‘Security Warning’ message sent from Google to the ‘me@…’ email addresses. Since the email is generated by Google, it is signed with a valid DKIM key and passes all checks.
Finally, they relay the message to the victims. DKIM only validates the message and header, confirming the envelope; therefore, the message passes signature validation and appears as a legitimate message in the user’s inbox – even within the same thread as legitimate security alerts.
Because they label Google accounts as ‘me@’, Gmail indicates that the message was sent to ‘me’ at the top; this avoids another indicator that might raise red flags.
I reported this issue to Google; unfortunately, they closed it by stating, ‘It Works As Intended,’ explaining they do not see this as a security flaw. Clearly, I disagree – but until they change their minds, be cautious of deceptive security alerts from Google.”
This complex hacking method seems to be used by more professional attackers. However, average cryptocurrency investors could also fall victim as methods become more widespread. Therefore, ensure you check the URL bar multiple times during all login sessions to confirm you are on the original website and login page. Be cautious with emails that excite you (lawsuits, account closures, etc.) and verify everything more than once before taking action.
Additionally, refrain from using the email address associated with exchanges for any other purposes, and note that complex email addresses composed of letters and numbers are less likely to be targeted in potential attack emails.
